Re: [Full-disclosure] iDefense Q-1 2007 Challenge -I WILL BUY FOR MORE
A legitimate buyer is not necessarily an ethical buyer. Demand to know
the buyer first, then do your homework. As always, proceed with caution.
- Jim
Simon Smith wrote:
> Amen!
> KF is 100% on the money. I can arrange the legitimate purchase of most
> working exploits for significantly more money than iDefense, In some cases
> over $75,000.00 per purchase. The company that I am working with has a
> relationship with a legitimate buyer, all transactions are legal. If you're
> interested contact me and we'll get the ball rolling.
>
> -Simon
>
>
> $8000.00 USD is low!
>
> On 1/16/07 12:29 PM, "K F (lists)" <kf_lists@xxxxxxxxxxxxxxxxxxx> wrote:
>
>
>> No offense to iDefense as I have used their services in the past... but
>> MY Q1 2007 Challenge to YOU is to start offering your researchers more
>> money in general! I've sold remotely exploitable bugs in random 3rd
>> party products for more $$ than you are offering for these Vista items
>> (see the h0n0 #3). I really think you guys are devaluing the exploit
>> market with your low offers... I've had folks mail me like WOW iDefense
>> offered me $800 for this remote exploit. Pfffttt not quite.
>>
>> We all know black hats are selling these sploits for <=$25k so why
>> should the legit folks settle for anything less? As an example the guys
>> at MOAB kicked around selling a Quicktime bug to iDefense but in the end
>> we decided it was not worth it due to low pay...
>>
>> Low Pay == Not getting disclosed via iDefense....
>>
>> -KF
>>
>>
>>
>>> I know someone who will pay significantly more per vulnerability against the
>>> same targets.
>>>
>>>
>>> On 1/10/07 12:27 PM, "contributor" <Contributor@xxxxxxxxxxxx> wrote:
>>>
>>>
>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>
>>>>
>>> Hash: SHA1
>>>
>>> Also available at:
>>>
>>>
>>>
>>>
>>>> http://labs.idefense.com/vcp/challenge.php#more_q1+2007%3A+vulnerability+cha
>>>> ll
>>>> enge
>>>>
>>>>
>>> *Challenge Focus: Remote Arbitrary Code Execution Vulnerabilities
>>>
>>>
>>>> in
>>>>
>>>>
>>> Vista & IE 7.0*
>>>
>>> Both Microsoft Internet Explorer and Microsoft Windows
>>>
>>>
>>>> dominate their
>>>>
>>>>
>>> respective markets, and it is not surprising that the decision
>>>
>>>
>>>> to
>>>>
>>>>
>>> update to the current release of Internet Explorer 7.0 and/or Windows
>>> Vista
>>>
>>>
>>>> is fraught with uncertainty. Primary in the minds of IT
>>>>
>>>>
>>> security
>>>
>>>
>>>> professionals is the question of vulnerabilities that may be
>>>>
>>>>
>>> present in these
>>>
>>>
>>>> two groundbreaking products.
>>>>
>>>>
>>> To help assuage this uncertainty, iDefense Labs
>>>
>>>
>>>> is pleased to announce
>>>>
>>>>
>>> the Q1, 2007 quarterly challenge.
>>>
>>> Remote Arbitrary
>>>
>>>
>>>> Code Execution Vulnerabilities in Vista and IE 7.0
>>>>
>>>>
>>> Vulnerability
>>>
>>>
>>>> Challenge:
>>>>
>>>>
>>> iDefense will pay $8,000 for each submitted vulnerability that
>>>
>>>
>>>> allows
>>>>
>>>>
>>> an attacker to remotely exploit and execute arbitrary code on either
>>> of
>>>
>>>
>>>> these two products. Only the first submission for a given
>>>>
>>>>
>>> vulnerability will
>>>
>>>
>>>> qualify for the award, and iDefense will award no
>>>>
>>>>
>>> more than six payments of
>>>
>>>
>>>> $8000. If more than six submissions
>>>>
>>>>
>>> qualify, the earliest six submissions
>>>
>>>
>>>> (based on submission date and
>>>>
>>>>
>>> time) will receive the award. The iDefense Team
>>>
>>>
>>>> at VeriSign will be
>>>>
>>>>
>>> responsible for making the final determination of whether
>>>
>>>
>>>> or not a
>>>>
>>>>
>>> submission qualifies for the award. The criteria for this phase
>>>
>>>
>>>> of
>>>>
>>>>
>>> the challenge are:
>>>
>>> I) Technologies Covered:
>>> - - Microsoft Internet
>>>
>>>
>>>> Explorer 7.0
>>>>
>>>>
>>> - - Microsoft Windows Vista
>>>
>>> II) Vulnerability Challenge
>>>
>>>
>>>> Ground Rules:
>>>>
>>>>
>>> - - The vulnerability must be remotely exploitable and must
>>>
>>>
>>>> allow
>>>>
>>>>
>>> arbitrary code execution in a default installation of one of
>>>
>>>
>>>> the
>>>>
>>>>
>>> technologies listed above
>>> - - The vulnerability must exist in the
>>>
>>>
>>>> latest version of the
>>>>
>>>>
>>> affected technology with all available patches/upgrades
>>>
>>>
>>>> applied
>>>>
>>>>
>>> - - 'RC' (Release candidate), 'Beta', 'Technology Preview'
>>>
>>>
>>>> and
>>>>
>>>>
>>> similar versions of the listed technologies are not included in
>>>
>>>
>>>> this
>>>>
>>>>
>>> challenge
>>> - - The vulnerability must be original and not previously
>>>
>>>
>>>> disclosed
>>>>
>>>>
>>> either publicly or to the vendor by another party
>>> - - The
>>>
>>>
>>>> vulnerability cannot be caused by or require any additional
>>>>
>>>>
>>> third party
>>>
>>>
>>>> software installed on the target system
>>>>
>>>>
>>> - - The vulnerability must not
>>>
>>>
>>>> require additional social engineering
>>>>
>>>>
>>> beyond browsing a malicious
>>>
>>>
>>>> site
>>>>
>>>>
>>> Working Exploit Challenge:
>>> In addition to the $8000 award for the
>>>
>>>
>>>> submitted vulnerability,
>>>>
>>>>
>>> iDefense will pay from $2000 to $4000 for working
>>>
>>>
>>>> exploit code that
>>>>
>>>>
>>> exploits the submitted vulnerability. The arbitrary code
>>>
>>>
>>>> execution
>>>>
>>>>
>>> must be of an uploaded non-malicious payload. Submission of
>>>
>>>
>>>> a
>>>>
>>>>
>>> malicious payload is grounds for disqualification from this phase of
>>> the
>>>
>>>
>>>> challenge.
>>>>
>>>>
>>> I) Technologies Covered:
>>> - - Microsoft Internet Explorer 7.0
>>> -
>>>
>>>
>>>> - Microsoft Windows Vista
>>>>
>>>>
>>> II) Working Exploit Challenge Ground
>>>
>>>
>>>> Rules:
>>>>
>>>>
>>> Working exploit code must be for the submitted vulnerability only
>>>
>>>
>>>>
>>>>
>>>>
>>> iDefense will not consider exploit code for existing vulnerabilities
>>> or new
>>>
>>>
>>>> vulnerabilities submitted by others. iDefense will consider
>>>>
>>>>
>>> one and only one
>>>
>>>
>>>> working exploit for each original vulnerability
>>>>
>>>>
>>> submitted.
>>>
>>> The minimum award
>>>
>>>
>>>> for a working exploit is $2000. In addition to the
>>>>
>>>>
>>> base award, additional
>>>
>>>
>>>> amounts up to $4000 may be awarded based upon:
>>>>
>>>>
>>> - - Reliability of the
>>>
>>>
>>>> exploit
>>>>
>>>>
>>> - - Quality of the exploit code
>>> - - Readability of the exploit
>>>
>>>
>>>> code
>>>>
>>>>
>>> - - Documentation of the exploit code
>>>
>>>
>>> -----BEGIN PGP
>>>
>>>
>>>> SIGNATURE-----
>>>>
>>>>
>>> Version: GnuPG v1.4.3 (MingW32)
>>> Comment: Using GnuPG with
>>>
>>>
>>>> Mozilla - http://enigmail.mozdev.org
>>>>
>>>>
>>>
>>> iD8DBQFFpSHsYcX4JiqFDSgRAl+ZAJwMJaZoJ6zwd4m8qZfviOZnNNUVrACgpaTU
>>> QkO9IXq+PsC6
>>>
>>>
>>>> bMKg7j6Dwfw=
>>>>
>>>>
>>> =N0am
>>> -----END PGP
>>>
>>>
>>>> SIGNATURE-----
>>>>
>>>>
>>> _______________________________________________
>>> Full-Disclosur
>>>
>>>
>>>> e - We believe in it.
>>>>
>>>>
>>> Charter:
>>>
>>>
>>>> http://lists.grok.org.uk/full-disclosure-charter.html
>>>>
>>>>
>>> Hosted and sponsored by
>>>
>>>
>>>> Secunia - http://secunia.com/
>>>>
>>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>>
>>>
>
>
>
>
>
--
Best Regards,
Jim Manico
GIAC GSEC Professional, Sun Certified Java Programmer
jim@xxxxxxxxxx
808.652.3805